Page 213 - ITU KALEIDOSCOPE, ATLANTA 2019
ICT for Health: Networks, standards and innovation
disruptive and needs to be presented in a clearly distinguishable form, meaning that it may not be buried within the fine print of a privacy policy or contract [24].

While at first sight it looks as if the GDPR offers sufficient protection against the processing of health data, the practical reality is quite different. Previous research has shown that companies offering health apps are by no means transparent about their processing activities and whom they share the data with [25]. While data subjects to some degree consent to data processing, some health apps do not even recognize the fact that they process health data, resulting in a lack of legal basis. As a result of this, risks of violation of rights and freedoms remain, as well as physical and practical challenges related to the use of modern technologies to process health data, such as jurisdiction and exercise of rights.

3. BEHIND THE SCENES OF MODERN TECHNOLOGIES

Processing personal data according to the GDPR includes ‘collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ of data [26]. This very broad definition means that basically any action performed on personal data is processing. The one word that is missing from the definition is transfer of data. What is mentioned, however, by the definition in Article 4 (2) GDPR is that processing also includes disclosing the data by transmission and dissemination or otherwise making it available. While it is interesting that transfer is not included in the definition of processing, disclosing and making data available can be seen as transfer of data.

Transfer has an important role in the GDPR. While the free flow of information has always been promoted by data protection legal frameworks, the major concern was that data protection legislation could be circumvented by moving processing operations to countries with no or less strict data protection laws [27]. European data protection legal frameworks have therefore always been cautious about transferring data to third countries that are not part of the legal regime. In order to prevent data from being transferred to ‘data havens’, the principle of equivalent protection was introduced, meaning that there should be no restrictions on transborder data flows to states with legal regimes which ensure data protection equivalent to the data protection offered by the GDPR. Chapter V of the GDPR is dedicated to transfers of personal data to third countries or international organisations. Modern technologies process data electronically, making it easy to transfer data across the globe. The data can be sent from one actor to another or made accessible to more than one actor in the blink of an eye. Modern technologies thus impact the way that personal health data can be collected.

These modern technologies, such as mobile applications and wearables, process large amounts of personal (health) data. The technologies make it possible to continuously monitor the user. Most people carry their mobile phone with them during the day, and wearables have made tracking even easier. A smart watch or smart glasses, for example, allow users to track their health and fitness with objects which are easy to carry. While making life and health easy for users, large amounts of health data become available to commercial companies who are by no means under any obligation of professional secrecy, and what happens behind the scenes of these technologies is unknown to many. When unravelling what happens, behind the scenes, to the data, we stumbled upon 2 major ways that the technologies function that are relevant for this article. Many health apps and wearables by default:

   1. collect data via an app and store it on the device itself until the user actively chooses to send the data to a cloud or server;
   2. collect data via an app and store it on a (cloud) server. In this case the data exists outside of the app and is accessible to the developer, i.e. the device is used as a tool to collect data; the data can be seen separately from the app considering that it exists even if the app is deleted.

If we picture a user in the first situation and we take the example of an app that counts how many steps someone takes during the day, the app counts the steps and stores the data on the device itself by default. The data is stored on the device for as long as the user does not delete the data or choose to store the data somewhere else, for example when the storage space of the device is full. In other words, the collected data remain on the user’s device until the user actively decides to store the data elsewhere, outside of the app or wearable.

More important for this research, however, is the second situation, where data is collected by an app or wearable which does not intend to store it on the device. Instead, by default, the data is sent to and stored on the (cloud) server of the app company. Sending the data requires an active connection between the device and the (cloud) server. If this connection is unavailable, the data is most likely stored on the device until the connection is available.

There is a significant legal difference between the two situations. In the first situation the app is closely related to the data and therefore to the user; it is merely a means to an end. In the second situation, the purpose of the app or wearable is mainly to generate data. The device is not used for storage or not meant to be used for storage. As soon as an active connection is available, the data is sent to the designated (cloud) server. In this regard, we can make an analogy with streaming data. The user might have the app on their mobile phone or wearable, but the data exists separately, outside this app. For example, when watching a YouTube video, the app is solely used to stream the data available on the YouTube server. While health apps and